CN104144158A - Policy-based automated consent method and device - Google Patents


Info

Publication number
CN104144158A
Authority
CN
China
Prior art keywords
client computer
resource
access
agreement
computer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410185123.7A
Other languages
Chinese (zh)
Other versions
CN104144158B (en)
Inventor
S·G·加宁
S·B·魏登
C·S·普拉纳姆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
HCL Technology Co., Ltd.
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp
Publication of CN104144158A
Application granted
Publication of CN104144158B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/102 Entity profiles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to a policy-based automated consent method and a device. A technique for intelligent automated consent is described by which a client may be automatically authorized to access a resource owner's protected information (e.g., a profile) based on the owner's previous authorization decisions and/or other client classifications. Using this approach to granting consent, the resource owner is not required to intervene during the authorization step for each client that is requesting access. Clients may be categorized, and authorization given to individual clients based on the category to which they belong and/or the scope of the access request. The technique may be implemented with user-centric identity protocols, as well as with delegated authorization protocols. The technique provides policy-based consent grants.

Description

Policy-based automated consent method and apparatus
Technical field
This disclosure relates generally to identity management in a networked environment.
Background
User-centric identity protocols (for example, OpenID) and delegated authorization protocols (for example, OAuth 2.0) require a user to grant consent to a client (for example, a website) that wishes to access the user's profile information. This authorization is conventionally obtained through a web form presented to the user at an identity provider or other authorization server. The form contains information identifying the client, the data types, one or more operations, or other contextual information that the end user can use to make the consent decision. By completing the form or otherwise giving consent, the user then allows the client subsequent (and automatic) access to the user profile information. In current implementations, however, the user must authorize each client individually, because no known technique provides automatic consent for a particular client that, for example, shares some commonality with other clients. Consequently, when accessing similar websites, and especially where consent decisions are not stored long-term, the authorization requirement is burdensome to the user.
User-Managed Access (UMA) is a draft protocol that defines how a resource owner can control access by a client operated by any requesting party to protected resources residing on any number of resource servers, where a centralized authorization server governs access based on the resource owner's policies. This solution delegates the authorization decision to another system, which again must verify each client request. The UMA protocol does not, however, define any mechanism for the resource owner to construct policy decisions or for an access manager to carry out policy decisions.
Summary of the invention
According to this disclosure, a technique for intelligent automated consent is described by which a client may be automatically authorized to access a resource owner's protected information (for example, a profile) based on the owner's previous authorization decisions and/or other client classifications. Granting consent in this way removes the need for the resource owner to intervene during the authorization step for each client that requests access. Clients may be categorized, and authorization granted to an individual client based on the category to which it belongs and/or the scope of the access request. The technique may be implemented with user-centric identity protocols as well as with delegated authorization protocols. The technique provides policy-based consent grants.
According to one embodiment, a method of managing consent grants for access to a protected resource is described. The protected resource is associated with a resource owner. The method first receives a request to access the protected resource, the request having a scope and being associated with a client. On receipt, an analysis (typically of the request URI) is performed to identify characteristics of the client. Based on the characteristics of the client and the scope of the request, a policy is applied to determine whether the client should receive automatic consent to access the protected resource. If, based on the policy, the client should receive automatic consent, given information is returned to the client. In one embodiment, the given information is an OAuth token, which the client can then use to obtain access to the protected resource without explicit consent from the resource owner.
The client characteristics may be determined in several ways. Preferably, one or more information services are consulted. Such information services include, for example, a URL classifier, a domain tag service, a URL reputation engine, a privacy policy service, and the like. If the policy cannot be satisfied, a prompt is sent to the resource owner to obtain explicit consent to the access. When that consent is received, the policy may be updated and applied to future requests.
The foregoing has outlined some of the more pertinent features of the invention. These features should be construed as merely illustrative. Many other beneficial results can be attained by applying the disclosed invention in a different manner or by modifying the invention as will be described.
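The consent procedure summarized above, as an added worked example that is not code from the patent or from IBM: a small Python policy engine that classifies the client from its request URI using constructed stand-ins for the information services, applies owner-derived rules on client category, requested scope and reputation, auto-consents when a rule matches, otherwise prompts the owner, and records the owner's decision as a reusable rule when the owner allows it. Sample domains, the reputation threshold and the token format are assumptions.

```python
# Added illustrative example; not code from the patent or from IBM. The lookup
# tables are constructed stand-ins for a URL classifier and a reputation engine.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple
from urllib.parse import urlparse
import secrets

URL_CATEGORIES = {"scores.example": "sports", "league.example": "sports",
                  "fakesports.example": "sports", "bargain.example": "shopping"}
REPUTATION = {"scores.example": 90, "league.example": 85,
              "fakesports.example": 10, "bargain.example": 70}
# Assumed threshold: a learned rule never auto-consents to a low-reputation
# client, so a look-alike site in the same category still reaches the owner.
MIN_REPUTATION_FOR_AUTO_CONSENT = 50


@dataclass(frozen=True)
class ClientFeatures:
    domain: str
    category: str
    reputation: int


def classify_client(request_uri: str) -> ClientFeatures:
    """Analyse the request URI and look the client up in the information services."""
    domain = (urlparse(request_uri).hostname or "").lower()
    return ClientFeatures(domain, URL_CATEGORIES.get(domain, "unknown"),
                          REPUTATION.get(domain, 0))


@dataclass(frozen=True)
class ConsentRule:
    """Owner-derived policy: auto-consent for one client category within a scope."""
    category: str
    scopes: FrozenSet[str]
    min_reputation: int

    def matches(self, f: ClientFeatures, scope: FrozenSet[str]) -> bool:
        # The requested scope must not exceed what the owner originally agreed to.
        return (f.category == self.category and scope <= self.scopes
                and f.reputation >= self.min_reputation)


@dataclass
class PolicyEngine:
    """Policy engine: holds explicit per-client grants and generalised rules."""
    rules: List[ConsentRule] = field(default_factory=list)
    explicit_grants: Dict[str, FrozenSet[str]] = field(default_factory=dict)

    def evaluate(self, f: ClientFeatures, scope: FrozenSet[str]) -> bool:
        """True when policy permits automatic consent, False when the owner must decide."""
        if scope <= self.explicit_grants.get(f.domain, frozenset()):
            return True
        return any(rule.matches(f, scope) for rule in self.rules)

    def record_decision(self, f: ClientFeatures, scope: FrozenSet[str],
                        granted: bool, apply_to_similar: bool) -> None:
        """Store the owner's explicit decision; optionally generalise it into a rule."""
        if not granted:
            return
        self.explicit_grants[f.domain] = self.explicit_grants.get(f.domain, frozenset()) | scope
        if apply_to_similar:
            self.rules.append(ConsentRule(f.category, scope, MIN_REPUTATION_FOR_AUTO_CONSENT))


def issue_token(f: ClientFeatures, scope: FrozenSet[str]) -> Dict[str, object]:
    """Opaque bearer token bound to the client and the granted scope (constructed format)."""
    return {"access_token": secrets.token_urlsafe(32), "client": f.domain,
            "scope": sorted(scope)}


# The owner prompt returns (granted, apply_this_decision_to_similar_clients).
OwnerPrompt = Callable[[ClientFeatures, FrozenSet[str]], Tuple[bool, bool]]


def handle_request(engine: PolicyEngine, request_uri: str, scope: FrozenSet[str],
                   ask_owner: OwnerPrompt) -> Tuple[str, object]:
    """Authorization-server side of one consent decision."""
    f = classify_client(request_uri)
    if engine.evaluate(f, scope):
        return "auto", issue_token(f, scope)           # no owner interaction needed
    granted, apply_to_similar = ask_owner(f, scope)     # fall back to explicit consent
    engine.record_decision(f, scope, granted, apply_to_similar)
    return ("prompted", issue_token(f, scope)) if granted else ("denied", None)


def demo() -> List[str]:
    """Five requests against a fresh engine; returns 'domain:outcome' per request."""
    engine = PolicyEngine()
    # Constructed owner: consents to reputable sports sites and lets the engine generalise.
    owner = lambda f, scope: (f.category == "sports" and f.reputation >= 50, True)
    read = frozenset({"profile:read"})
    write = frozenset({"profile:read", "profile:write"})
    requests = [("https://scores.example/oauth/cb", read),      # first sports site: prompt
                ("https://league.example/login", read),         # similar site: auto
                ("https://fakesports.example/", read),          # low reputation: prompt
                ("https://league.example/edit", write),         # wider scope: prompt
                ("https://bargain.example/", read)]             # other category: prompt
    outcomes = []
    for uri, scope in requests:
        outcome, _token = handle_request(engine, uri, scope, owner)
        outcomes.append(f"{urlparse(uri).hostname}:{outcome}")
    return outcomes
```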
Brief description of the drawings
For a more complete understanding of the present invention and its advantages, reference is now made to the following description taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a block diagram of a distributed data processing environment in which illustrative aspects of exemplary embodiments may be implemented;
Fig. 2 is a block diagram of a data processing system in which illustrative aspects of exemplary embodiments may be implemented;
Fig. 3 illustrates a representative system for policy-based automated consent decisions according to this disclosure;
Fig. 4 illustrates a representative first use case involving a first client website;
Fig. 5 illustrates a representative second use case involving a second client website;
Fig. 6 illustrates the process flow of an exemplary embodiment; and
Fig. 7 illustrates a policy management system in which the policy engine of this disclosure may be implemented.
Detailed description
With reference now to the drawings, and in particular to Figs. 1-2, exemplary diagrams of data processing environments are provided in which exemplary embodiments of this disclosure may be implemented. It should be understood that Figs. 1-2 are only exemplary and are not intended to assert or imply any limitation with regard to the environments in which aspects or embodiments of the disclosed subject matter may be implemented. Many modifications to the depicted environments may be made without departing from the spirit and scope of the present invention.
With reference to the drawings, Fig. 1 depicts a pictorial representation of an exemplary distributed data processing system in which aspects of exemplary embodiments may be implemented. Distributed data processing system 100 may include a network of computers in which aspects of exemplary embodiments may be implemented. Distributed data processing system 100 contains at least one network 102, which is the medium used to provide communication links between the various devices and computers connected together within distributed data processing system 100. Network 102 may include connections such as wire, wireless communication links, or fiber optic cables.
In the depicted example, server 104 and server 106 are connected to network 102 along with storage unit 108. In addition, clients 110, 112, and 114 are also connected to network 102. These clients 110, 112, and 114 may be, for example, personal computers, network computers, or the like. In the depicted example, server 104 provides data, such as boot files, operating system images, and applications, to clients 110, 112, and 114. Clients 110, 112, and 114 are clients of server 104 in the depicted example. Distributed data processing system 100 may include additional servers, clients, and other devices not shown.
In the depicted example, distributed data processing system 100 is the Internet, with network 102 representing a worldwide collection of networks and gateways that use the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols to communicate with one another. At the heart of the Internet is a backbone of high-speed data communication lines between major nodes or host computers, consisting of thousands of commercial, governmental, educational, and other computer systems that route data and messages. Of course, distributed data processing system 100 may also be implemented to include a number of different types of networks, such as an intranet, a local area network (LAN), a wide area network (WAN), or the like. As stated above, Fig. 1 is intended as an example, not as an architectural limitation for different embodiments of the disclosed subject matter, and therefore the particular elements shown in Fig. 1 should not be considered limiting with regard to the environments in which exemplary embodiments of the present invention may be implemented.
With reference now to Fig. 2, a block diagram of an exemplary data processing system is shown in which aspects of exemplary embodiments may be implemented. Data processing system 200 is an example of a computer, such as client 110 in Fig. 1, in which computer usable code or instructions implementing the processes of exemplary embodiments of this disclosure may be located.
With reference now to Fig. 2, a block diagram of a data processing system is shown in which exemplary embodiments may be implemented. Data processing system 200 is an example of a computer, such as server 104 or client 110 in Fig. 1, in which computer usable program code or instructions implementing the processes of exemplary embodiments may be located. In this illustrative example, data processing system 200 includes communications fabric 202, which provides communications between processor unit 204, memory 206, persistent storage 208, communications unit 210, input/output (I/O) unit 212, and display 214.
Processor unit 204 serves to execute instructions for software that may be loaded into memory 206. Processor unit 204 may be a set of one or more processors or may be a multi-processor core, depending on the particular implementation. Further, processor unit 204 may be implemented using one or more heterogeneous processor systems in which a main processor is present with secondary processors on a single chip. As another illustrative example, processor unit 204 may be a symmetric multi-processor system containing multiple processors of the same type.
Memory 206 and persistent storage 208 are examples of storage devices. A storage device is any piece of hardware that is capable of storing information on a temporary basis and/or a permanent basis. Memory 206, in these examples, may be, for example, a random access memory or any other suitable volatile or non-volatile storage device. Persistent storage 208 may take various forms depending on the particular implementation. For example, persistent storage 208 may contain one or more components or devices. For example, persistent storage 208 may be a hard drive, a flash memory, a rewritable optical disk, a rewritable magnetic tape, or some combination of the above. The media used by persistent storage 208 may also be removable. For example, a removable hard drive may be used for persistent storage 208.
Communications unit 210, in these examples, provides for communications with other data processing systems or devices. In these examples, communications unit 210 is a network interface card. Communications unit 210 may provide communications through the use of either or both physical and wireless communications links.
Input/output unit 212 allows for input and output of data with other devices that may be connected to data processing system 200. For example, input/output unit 212 may provide a connection for user input through a keyboard and mouse. Further, input/output unit 212 may send output to a printer. Display 214 provides a mechanism to display information to a user.
Instructions for the operating system and applications or programs are located on persistent storage 208. These instructions may be loaded into memory 206 for execution by processor unit 204. The processes of the different embodiments may be performed by processor unit 204 using computer implemented instructions, which may be located in a memory, such as memory 206. These instructions are referred to as program code, computer usable program code, or computer readable program code that may be read and executed by a processor in processor unit 204. The program code in the different embodiments may be embodied on different physical or tangible computer readable media, such as memory 206 or persistent storage 208.
Program code 216 is located in a functional form on computer readable media 218 that is selectively removable and may be loaded onto or transferred to data processing system 200 for execution by processor unit 204. Program code 216 and computer readable media 218 form computer program product 220 in these examples. In one example, computer readable media 218 may be in a tangible form, such as, for example, an optical or magnetic disc that is inserted or placed into a drive or other device that is part of persistent storage 208 for transfer onto a storage device, such as a hard drive, that is part of persistent storage 208. In a tangible form, computer readable media 218 may also take the form of a persistent storage, such as a hard drive, a thumb drive, or a flash memory that is connected to data processing system 200. The tangible form of computer readable media 218 is also referred to as computer recordable storage media. In some instances, computer recordable media 218 may not be removable.
Alternatively, program code 216 may be transferred to data processing system 200 from computer readable media 218 through a communications link to communications unit 210 and/or through a connection to input/output unit 212. The communications link and/or the connection may be physical or wireless in the illustrative examples. The computer readable media may also take the form of non-tangible media, such as communications links or wireless transmissions containing the program code. The different components illustrated for data processing system 200 are not meant to provide architectural limitations on the manner in which different embodiments may be implemented. The different illustrative embodiments may be implemented in a data processing system that includes components in addition to, or in place of, those illustrated for data processing system 200. Other components shown in Fig. 2 can be varied from the illustrative examples shown. As one example, a storage device in data processing system 200 is any hardware apparatus that may store data. Memory 206, persistent storage 208, and computer readable media 218 are examples of storage devices in a tangible form.
In another example, a bus system may be used to implement communications fabric 202 and may be comprised of one or more buses, such as a system bus or an input/output bus. Of course, the bus system may be implemented using any suitable type of architecture that provides for a transfer of data between different components or devices attached to the bus system. Additionally, a communications unit may include one or more devices used to transmit and receive data, such as a modem or a network adapter. Further, a memory may be, for example, memory 206 or a cache such as is found in an interface and memory controller hub that may be present in communications fabric 202.
Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java™, Smalltalk, Objective-C, C++ or the like, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may also be written in an interpreted language such as Python. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). The techniques herein may also be implemented in non-traditional IP networks.
Those of ordinary skill in the art will appreciate that the hardware in Figs. 1-2 may vary depending on the implementation. Other internal hardware or peripheral devices, such as flash memory, equivalent non-volatile memory, or optical disk drives and the like, may be used in addition to or in place of the hardware depicted in Figs. 1-2. Also, the processes of the exemplary embodiments may be applied to a multiprocessor data processing system, other than the SMP system mentioned previously, without departing from the spirit and scope of the disclosed subject matter.
As will be seen, the techniques described herein may operate in conjunction with a standard client-server paradigm such as illustrated in Fig. 1, in which client machines communicate with an Internet-accessible web portal executing on a set of one or more machines. End users operate Internet-connectable devices (for example, desktop computers, notebook computers, Internet-enabled mobile devices, or the like) that are capable of accessing and interacting with the portal. Typically, each client or server machine is a data processing system such as illustrated in Fig. 2 comprising hardware and software, and these entities communicate with one another over a network, such as the Internet, an intranet, an extranet, a private network, or any other communications medium or link. A data processing system typically includes one or more processors, an operating system, one or more applications, and one or more utilities. The applications on the data processing system provide native support for Web services including, without limitation, support for HTTP, SOAP, XML, WSDL, UDDI, and WSFL, among others. Information regarding SOAP, WSDL, UDDI, and WSFL is available from the World Wide Web Consortium (W3C), which is responsible for developing and maintaining these standards; further information regarding HTTP and XML is available from the Internet Engineering Task Force (IETF). Familiarity with these standards is presumed.
By way of additional background, authentication is the process of validating a set of credentials that are provided by a user or on behalf of a user. Authentication is accomplished by verifying something that a user knows, something that a user has, or something that the user is, i.e., some physical characteristic about the user. Something that a user knows may include a shared secret, such as a user's password, or something that is known only to a particular user, such as a user's cryptographic key. Something that a user has may include a smartcard or hardware token. Some physical characteristic about the user might include a biometric input, such as a fingerprint or a retinal map. It should be noted that a user is typically, but not necessarily, a natural person; a user could be a machine, computing device, or other type of data processing system that uses a computational resource. It should also be noted that a user typically, but not necessarily, possesses a single unique identifier; in some scenarios, multiple unique identifiers may be associated with a single user.
An authentication credential is a set of challenge/response information that is used in various authentication protocols. For example, a username and password combination is the most familiar form of authentication credential. Other forms of authentication credential may include various forms of challenge/response information, Public Key Infrastructure (PKI) certificates, smartcards, biometrics, and so forth. An authentication credential is differentiated from an authentication assertion: an authentication credential is presented by a user to an authentication server or service as part of an authentication protocol sequence, whereas an authentication assertion is a statement about the successful presentation and validation of a user's authentication credentials, subsequently transferred between entities when necessary.
Single sign-on (SSO) is an access control mechanism that enables a user to authenticate once (e.g., by providing a user name and password) and gain access to software resources across multiple systems. Typically, an SSO system enables user access to resources within an enterprise or an organization. Federated single sign-on (F-SSO) extends the concept of single sign-on across multiple enterprises, thus establishing partnerships among different organizations and enterprises. F-SSO systems typically include protocols, such as SAML, that allow one enterprise (e.g., an identity provider) to supply a user's identity and other attributes to another enterprise (e.g., a service provider). F-SSO helps transfer the user's credentials from the identity provider to the service provider in a trusted manner using a suitable protocol, typically HTTP. In a typical F-SSO implementation, both the identity provider and the service provider have F-SSO systems that include logic to authenticate a user, establish the user's credentials, and generate an encrypted security token (e.g., a cookie) containing user information. In addition, the service provider may also include one or more target applications. The target applications can reside within the same web environment or be part of different web environments within the same service provider.
In the traditional client-server authentication model, the client uses its credentials to access resources hosted by the server. With the increasing use of distributed web services and cloud computing, third-party applications often require access to these server-hosted resources. OAuth is an open protocol (Internet Request for Comments (RFC) 5849) that enables users to share their private data and credentials among different websites while keeping only the public data on the originating website. In particular, the OAuth protocol allows users to share private resources stored on one website with other websites without exposing the user's credentials (e.g., username and password) to websites other than the one holding the user's data. A website that adopts OAuth as one of its authentication protocols enhances the privacy and security of its users. To accomplish this, OAuth introduces a third role to the traditional client-server authentication model: the resource owner. In the OAuth model, the client (which is not the resource owner, but is acting on its behalf) requests access to resources controlled by the resource owner but hosted by the server. In addition, OAuth allows the server to verify not only the resource owner's authorization, but also the identity of the client making the request.
By way of additional background, the applications that are the target of the above-described protocols may be located in the same or different web environments and have different authentication mechanisms and different requirements. Without limitation, a target application may be located in an enterprise, or it may be located in a cloud-based operating environment. Cloud computing is a model of service delivery for enabling convenient, on-demand network access to a shared pool of configurable computing resources. Configurable computing resources are resources that can be rapidly provisioned and released with minimal management effort or interaction with the service provider, for example, networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services. A cloud computing environment is service-oriented, with a focus on statelessness, low coupling, modularity, and semantic interoperability. At the heart of cloud computing is an infrastructure comprising a network of interconnected nodes. A representative cloud computing node is as illustrated in Fig. 2 above.
A cloud computing architecture typically includes a set of functional abstraction layers, including a hardware/software layer, a virtualization layer, a management layer, and a workloads layer. The virtualization layer provides an abstraction layer from which the following examples of virtual entities may be provided: virtual servers, virtual storage, virtual networks (including virtual private networks), virtual applications and operating systems, and virtual clients. The management layer provides dynamic procurement of computing resources and other resources that are used to perform tasks within the cloud computing environment. The workloads layer provides the functionality for which the cloud computing environment may be used. Typically, a representative cloud computing environment has a set of high-level functional components that include a front end identity manager, a business support services (BSS) function component, an operational support services (OSS) function component, and a compute cloud component. The identity manager is responsible for interfacing with requesting clients to provide identity management, and this component may be implemented with one or more known systems, such as Tivoli Federated Identity Manager (TFIM), which is available from IBM Corporation of Armonk, New York. In appropriate circumstances, TFIM may be used to provide F-SSO to other cloud components. The business support services component provides certain administrative functions, such as billing support. The operational support services component is used to provide provisioning and management of the other cloud components, such as virtual machine (VM) instances. The cloud component represents the main computational resources, which are typically a plurality of virtual machine instances that are used to execute the target applications that are made available for access via the cloud. One or more databases are used to store directory, log, and other working data. All of these components (including the front end identity manager) are located "within" the cloud, but this is not a requirement.
automatic agreement based on strategy
Use the above as a setting, describe now the automatic agreement technology based on strategy of the present disclosure.As described; in this method; classification that can for example, based on one or more criterions (the previous authorization decision that Resource Owner carries out) and/or one or more and client associations, automatically authorizes and agrees to carry out this type of access for client computer (the possessory locked resource of request access).As will be seen, this method realizes agreement automatically (or " automatically agreeing to ") and does not need Resource Owner to intervene for following client access request.
As shown in FIG. 3, in a basic OAuth example (which is representative), a resource owner 300 is an operator (typically a person) who wishes to control access by a client 302 to a particular protected resource 304 that is provided and protected at a resource server 306. The resource server 306 is the entity that protects the owner's protected resources by making them available only to suitably authenticated and authorized clients. The client is an operator (typically a website) that wishes to access the protected resource at the resource server 306. The authorization server 308 (for example, an identity provider) is the entity that issues access tokens (in OAuth). An access token is a data object by which a client authenticates to the resource server 306 and asserts its authorization to access certain resources. Other similar protocols use other types of data object for this purpose. An access token is typically restricted in both the scope of the authority it carries and its duration. The resource server 306 and the authorization server 308 may be the same or different servers, and they may be co-located or remote from each other. In the known technique, the resource owner grants consent for the client to access the owner's protected resource. As will be described, the goal of the technique described here is to automate the grant of consent (where possible), so that when a particular client wishes to obtain a resource, it is not necessary to contact the resource owner.
According to the disclosure, and for this purpose, an additional computing element is included in the system. As shown in FIG. 3, the system also includes a "policy engine" 310. The policy engine 310 is a computing entity (or set of computing entities) that the resource owner can use to define one or more policies that should be applied when a client requests a protected resource. Typically, the policy engine (sometimes referred to here as the "engine") is implemented at the authorization server, for example, as a computer software program or process stored in computer memory and executed by one or more hardware elements. The resource owner may be proactive (that is, define policies in advance) and then apply the policies to one or more clients. In a typical use case, however, and as will be described, policies are defined dynamically, specifically when the resource owner first grants a particular consent for a particular client. In this dynamic approach, when the resource owner is first contacted to grant consent for a first client (requesting access to the protected resource), the owner is given the opportunity to indicate whether that particular decision may later be used to automatically authorize other clients. If the resource owner then indicates that his or her decision may be used for future consent grants, a policy of that kind is generated automatically, based on the one or more inputs received from the resource owner and, optionally, on client classification information or other services or sources. Such information services include, for example: a content classification service that classifies URLs by content type (for example, the IBM X-Force URL classification database); a domain tagging service that associates one or more "tags" with websites of a certain class or type (for example, a "sports" tag); a reputation service that can be queried to verify the authenticity of a URI; a privacy policy service that can be queried to judge whether a client request meets certain privacy or other security criteria; a client relationship service that can be queried to determine the nature of any relationship between the first client and a second client; and the like, and combinations thereof. Once the policy is defined, one or more subsequent clients (also attempting to access the protected resource) then obtain the benefit of (at least one) previous consent, that is, they may obtain authorization to access the resource owner's protected resource automatically, through the policy-based application in the engine.
As will be described, after it is created, a particular policy (sometimes referred to here as the "authorization policy") may preferably be changed dynamically based on the resource owner's interactive consent habits or other factors.
The technique here is now described by way of example. A typical use case is as follows. In particular, assume that the resource owner has granted authorization (that is, provided consent) to a first client (for example, the website espn.com, a sports site) to access one or more protected resources (for example, the owner's e-mail address, name, address, and so on) from an authorization server (for example, a third-party social network account). When authorization is granted (preferably interactively), and according to the disclosure, the resource owner is offered the opportunity, for example, to grant access to "websites with a similar classification" (for example, "all sports sites"), or to any other client class or category of which the espn.com client is determined to be a part. Preferably, and as described in more detail below, the policy engine and/or the authorization server is responsible for performing the client classification. Subsequently, a second client (for example, the website fifa.com) attempts to access a protected resource of the resource owner (for example, his or her e-mail address) from the owner's social network account. When the client redirects the owner's Web browser to the authorization consent page, the authorization server performs an analysis, for example of the client "type". Based on this analysis, consent is provided automatically, for example because the second client fifa.com (like espn.com) is also a sports site, and the resource owner previously authorized the first client to access the owner's (additional) protected resources. As seen in this simplified example scenario, the client is classified as a sports site, and the solution allows the resource owner to provide automated consent, for example, for clients that belong to the sports-site class, without having to manually authorize each of these similar clients. In this example, the resource owner is only required to authorize the first client explicitly; subsequent clients receive automated authorization if, for example, they belong to the same classification and send requests with the same (or possibly narrower) scope as the previous consent.
In this way, the resource owner exercises effective, fine-grained control over client access to the protected resource. Thus, for example, this approach allows the resource owner to choose to permit only highly trusted and reputable websites (for example, bank website clients) to access protected resource information that may be of high value. As noted above, the way a client obtains automated authorization to access the resource owner's protected resource is preferably based on the engine at the authorization server, where the resource owner may help define policies. As noted above, this authorization policy is learned incrementally, based on the user's interactive consent habits.
As shown in FIG. 4, there is a resource owner 400, a client 402 attempting to access a protected resource 404 at a resource server 406, and an authorization server 408 and policy engine 410 implementing a protocol such as OAuth. The use of OAuth is merely illustrative, because the technique here works with other similar protocols (for example, OpenID). In this example, assume that the authorization/resource server is a social network website. In step (1), the client 402 (for example, espn.com) wants to access the resource owner's protected resource (for example, name and e-mail address). In step (2), the resource owner is redirected to the social network website and is asked to authorize the client. In step (3), the policy engine is queried to determine whether consent was previously provided. In this example, assume no such consent exists. Also in step (3), the policy engine performs client classification, such as by analyzing the redirect URL, by querying one or more of the information sources described above, and so on. After the classification is complete, the authorization server determines whether authorizing access to the protected resource requires the owner's consent. In this scenario, and because no previous consent was provided for this client, in step (4) a prompt for consent is issued for the client. In addition, the resource owner may now provide an indication of whether the current consent may be used when deciding whether other clients may be authorized automatically. In step (5), the authorization server receives this consent (and the indication of whether the consent may be used to decide whether other clients may subsequently be authorized). In response, the authorization server returns a token (when OAuth is used) to the client. This token is typically provided in an HTTP redirect, which then returns the client to the resource server and enables the client's access to the protected resource.
Referring now to FIG. 5, assume that a second client 502 (for example, fifa.com) needs to access the protected resource. In step (1), the client redirects the resource owner (user) to the social network website. In step (2), the social network website performs the analysis on the client's redirect URL and checks the policy using the policy engine already described. Based on this analysis, it is determined that automated authorization for the second client is appropriate, for example because the second client is identified as belonging to the same category as the first client, and the requested scope is no larger than the scope of the previously granted consent. Then, in step (3), the authorization server returns a token to the client. Typically, and as noted above, the token is returned to the client in an HTTP redirect. In step (4), the second client is returned to the resource server, presents the token, and then obtains access to the protected resource, which completes the process.
As shown in the example scenarios of FIG. 3 and FIG. 4, when the policy engine approach of this disclosure is implemented, the resource owner does not need to be consulted to obtain explicit consent for the subsequent access request of the second client. This provides an intelligent "auto-consent" decision, which offers a significant advantage over the prior art, in which the resource owner must be consulted every time consent is required.
FIG. 6 illustrates a process flow for the operation of the policy engine of this disclosure. This process flow generally corresponds to step (2) in FIG. 5. The routine typically begins at step 600, when a resource owner who has navigated to a client site is redirected to the authorization server so that the consent question (that is, whether the client site is allowed to access a certain protected resource associated with the resource owner) can be evaluated. At step 602, the resource owner is authenticated. Then, at step 604, a test is performed to determine whether an auto-consent was previously issued. If a previous consent was issued, the routine branches to step 606 to determine whether the scope of the requested consent falls into a different scope (compared with the previous consent). If the result of the test at step 606 is positive, the routine continues at step 608. If the result of the test at step 606 is negative, access is allowed and no further operation is needed. Step 608 is also reached when the test at step 604 yields a negative determination. At step 608, client classification is performed, typically by analyzing the redirect URL. Then, at step 610, the routine continues by determining whether, given the classification determined at step 608 and the requested scope, consent was previously granted for this classification/scope. If not, the routine continues at step 612 to prompt the resource owner for consent. If, however, the server previously issued an auto-consent for this classification/scope, the routine branches to step 614 to process one or more other policies, such as privacy, reputation, and so on. Accordingly, at step 616, a test is performed to determine whether the classification/scope is within the policy. If the result of the test at step 616 is negative, the routine returns to step 612 to prompt the resource owner for consent. If the result of the test at step 616 indicates that the classification/scope is within the policy, the routine redirects the resource owner back to the client with consent, meaning that the client has authorization to access the protected resource. This is step 618, which completes the process.
When the resource owner needs to be prompted for consent, at step 620 a test is performed to determine whether the resource owner has issued consent. If so, at step 622 the routine continues by adding the client to an "auto-consent" list. As needed, the routine also updates one or more classifications and/or one or more policies at this point to reflect the newly issued consent of the resource owner. This update may be necessary because consent may now have been granted for what may be a new client type. The routine then continues at step 618, as previously discussed.
As those skilled in the art will appreciate, the optimal resource-owner consent decision experience follows the path 600, 602, 604, 608, 610, 614, 616 and 618.
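The decision flow of FIG. 6 (steps 600 to 622) as a small Python model; this is an added example and not the patent's own code. The domain-tag, reputation and privacy lookups are constructed stand-ins for the information services named in the text (URL classification or domain tagging, reputation, privacy-policy services), and the step numbers the engine records are those of the figure.

```python
"""Toy policy engine modelling the auto-consent decision flow of FIG. 6.

Added example, not the patent's own code.  DOMAIN_TAGS, GOOD_REPUTATION and
PRIVACY_POLICY are constructed stand-ins for the information services the text
names (URL classification / domain tagging, reputation, privacy-policy services).
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"          # step 618: owner redirected back to the client with consent
    PROMPT_OWNER = "prompt"  # step 612: explicit consent is needed from the resource owner


# Constructed data; a real engine would query external services here.
DOMAIN_TAGS = {"espn.com": "sports", "fifa.com": "sports",
               "bank.example": "finance", "shady.example": "sports"}
GOOD_REPUTATION = {"espn.com", "fifa.com", "bank.example"}   # shady.example fails the check
PRIVACY_POLICY = {"espn.com": "basic", "fifa.com": "basic", "bank.example": "strict"}


@dataclass(frozen=True)
class Consent:
    """One explicit consent the owner issued; the client's category is recorded at grant time."""
    client: str
    category: str
    scope: frozenset
    reuse_for_category: bool  # owner's indication that the decision may cover similar clients


@dataclass
class PolicyEngine:
    consents: list = field(default_factory=list)
    auto_consent_list: set = field(default_factory=set)
    path: list = field(default_factory=list)  # FIG. 6 step numbers taken by the last evaluate()

    def classify(self, client: str) -> str:
        """Step 608: client classification from the redirect URI's domain tag."""
        return DOMAIN_TAGS.get(client, "unknown")

    def _category_consent(self, category: str, scope: frozenset):
        """Step 610: a reusable prior consent covering this category and a scope at least as wide."""
        for c in self.consents:
            if c.reuse_for_category and c.category == category and scope <= c.scope:
                return c
        return None

    def _other_policies_ok(self, client: str, like: Consent) -> bool:
        """Steps 614/616: reputation check, and the same privacy policy as the consented client."""
        return (client in GOOD_REPUTATION
                and PRIVACY_POLICY.get(client) == PRIVACY_POLICY.get(like.client))

    def evaluate(self, client: str, scope) -> Decision:
        """Run the FIG. 6 flow for an already-authenticated owner (steps 600/602 assumed done)."""
        scope = frozenset(scope)
        self.path = [600, 602, 604]
        prior = next((c for c in self.consents if c.client == client), None)
        if prior is not None:
            self.path.append(606)
            if scope <= prior.scope:  # same or narrower scope than before: allow, nothing more to do
                return Decision.ALLOW
        category = self.classify(client)
        self.path += [608, 610]
        template = self._category_consent(category, scope)
        if template is None:
            self.path.append(612)
            return Decision.PROMPT_OWNER
        self.path += [614, 616]
        if not self._other_policies_ok(client, template):
            self.path.append(612)
            return Decision.PROMPT_OWNER
        self.path.append(618)
        return Decision.ALLOW

    def record_owner_response(self, client: str, scope, consented: bool, reuse: bool) -> bool:
        """Steps 620/622: after a prompt, store the consent, extend the policy, update the list."""
        if not consented:
            return False
        self.consents.append(Consent(client, self.classify(client), frozenset(scope), reuse))
        self.auto_consent_list.add(client)
        return True


if __name__ == "__main__":
    engine = PolicyEngine()
    print(engine.evaluate("espn.com", {"email", "name"}))        # prompt: no prior consent
    engine.record_owner_response("espn.com", {"email", "name"}, consented=True, reuse=True)
    print(engine.evaluate("fifa.com", {"email"}), engine.path)   # allow via the "sports" policy
    print(engine.evaluate("shady.example", {"email"}))           # prompt: reputation check fails
```

Note that a wider request from a previously consented client (fifa.com asking for an address after only e-mail and name were consented) falls through to the prompt, as the scope comparison at step 606 requires.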
The nature and type of the "protected resource" may vary, and this is not a limitation of the disclosure. Typically, the resource owner's protected resources include data such as name, address, e-mail alias, account numbers and demographic data.
The policy engine may be implemented as part of the authorization server, or as an adjunct to it.
The technique here is not limited to a particular type of client (for example, a website). The client may be implemented otherwise, for example, as a device, such as a suitably provisioned mobile phone, tablet computer, television, smart vehicle or other device.
As noted above, the policy engine preferably uses one or more client classification sources or services to determine whether auto-consent may proceed. As noted above, in one embodiment, client classification may be implemented based on classification of the redirect URI. The URI may be classified, for example, by using a URL classification database, by domain tagging, and so on. IBM X-Force provides a URL classification database that can be queried. OpenDNS domain tagging may be used to tag websites. In the example above, the websites espn.com and fifa.com may be tagged "sports". At step (3) of FIG. 4, an applicable policy may then state that all websites with the "sports" tag may access protected resources (for example, e-mail address and name) from the social network site. Because fifa.com is also tagged as a "sports" website, step (2) in FIG. 5 (the policy verification) is performed, and fifa.com is allowed automatic access to the owner's e-mail address and name. If, however, a third website that is not tagged "sports" then attempts to access these resources, the owner must first be prompted to authorize that website.
Also as noted above, another information source or service may be a reputation service. Such a service can be queried to determine whether the redirect URI is reputable and meets other criteria (for a particular scope). As is well known, a reputation service engine can be queried to verify the authenticity of a URI. Taking the example scenario above, the authorization server may treat the redirect URI as the URI in question, and then use that URI to verify whether the client is genuine. Specifically, the redirect URI is checked using a reputation service engine, which may be a service provided by a third party. In the example of FIG. 3, assume that espn.com has a redirect URI with no malicious intent associated with it. In step (3), the policy may state that all websites whose redirect URI has no malicious intent may access the owner's protected resource(s) from the social network site. Then, if fifa.com has a redirect URI with no malicious intent, that site is allowed to access these resources, as previously described.
Another information source may be a privacy policy information service. In one alternative, the privacy policy may be associated with the authorization server itself. Known implementations of privacy policy services include those based on P3P, ICRA and the like. As in the domain tagging and reputation examples, the following policy may be implemented: all websites that share the same stated privacy policy may access the owner's private data. In one example scenario, a service such as a safe browsing API may be used to determine whether a particular site (the redirect URI) is trusted enough to be allowed to access the private data.
As another information source, client relationship data may be obtained and checked to determine the relationship between the requesting client and other clients that have already been granted access to the protected resource(s). If the policy includes relationship data, that relationship data may be checked to determine whether auto-consent should be granted.
A particular policy may implement one or more of the information sources described above.
In summary, the policy engine maintains information that associates a client, the client's classification, the previously consented scope, any relationship data, and other data that may then be used to define one or more policies. Policies are generated, maintained, updated and applied in the manner described, to determine whether auto-consent may then be provided for a new client requesting access to the protected resource.
Although the subject technique has been described by way of example in the context of an OAuth use case, this is not a limitation. The subject technique may be implemented with other use cases, for example, F-SSO protocols that assert a user identity at a service provider. These F-SSO protocols include, for example, OpenID, SAML (Post/member) or OAuth-protected resource requests.
FIG. 7 illustrates a policy management system in which the workflow of this disclosure may be implemented. The system 700 may be implemented across one or more machines operating in a computing environment such as that shown in FIG. 1. Typically, the system includes a policy administration point (PAP) 702, a policy decision point (PDP) 704 and a policy enforcement point (PEP) 706. Typically, the policy administration point 702 is used to define the consent policy, which may be specified as a set of XACML policy expressions. The policy uses subject attributes provided from a user repository 708, together with runtime and environment data received from a policy information point (PIP) 710. The policy decision point (PDP) 704 receives similar information and responds to XACML policy queries received from the policy enforcement point (PEP) 706, in order to enforce the policy for a subject and for a particular action initiated by that subject. The PEP 706 implements the required consent workflow. In one commercial implementation of the approach, the PAP 702 is implemented by the IBM Security Policy Manager (TSPM) policy service or console, the PDP 704 is implemented in the TSPM runtime security service, and the PEP is implemented as a TSPM plug-in for the application server.
The disclosed technique provides several advantages. Using this technique, the resource owner does not need to intervene in the authorization step for each client. The system is "intelligent" because it classifies clients and provides authorization to a client based on the classification into which the client falls. To facilitate this process, the resource owner's authorization decision is provided to the engine, which determines whether additional authorization from the resource owner is needed. The approach facilitates the provisioning of a reliable, available and scalable managed consent function/service.
The functions described above may be implemented as a standalone approach, for example, as a software-based function executed by a processor, or may be provided as a managed service (including as a Web service via a SOAP/XML interface). The particular hardware and software implementation details described here are for illustrative purposes only and are not intended to limit the scope of the described subject matter.
More generally, the computing devices in the context of the disclosed invention are each a data processing system (such as that shown in FIG. 2) comprising hardware and software, and these entities communicate with one another over a network (the Internet, an intranet, an extranet, a private network) or any other communication medium or link. Applications on the data processing system provide native support for Web and other known services and protocols, including but not limited to support for HTTP, FTP, SMTP, SOAP, XML, WSDL, SAML, WS-Trust, UDDI and WSFL, among others. Information about SOAP, WSDL, UDDI and WSFL is available from the World Wide Web Consortium (W3C), which is responsible for developing and maintaining these standards; further information about HTTP, FTP, SMTP and XML is available from the Internet Engineering Task Force (IETF). Familiarity with these known standards and protocols is assumed.
The scheme described here may be implemented in, or in conjunction with, various server-side architectures other than cloud-based architectures. These architectures include, but are not limited to, simple n-tier architectures, web portals, federated systems, and the like.
As the examples above show, one or more F-SSO functions may be hosted within the cloud or outside the cloud.
More generally, the subject matter described here may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment containing both hardware and software elements. In a preferred embodiment, the function is implemented in software, which includes but is not limited to firmware, resident software, microcode, and so on. Data retrieved by the detection device may be configured as data structures (for example, arrays, linked lists, and so on) and stored in a data store (for example, computer memory). Furthermore, as noted above, the enhanced F-SSO function described here may take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by, or in connection with, a computer or any instruction execution system. For the purposes of this description, a computer-usable or computer-readable medium may be any apparatus that can contain or store the program for use by, or in connection with, the instruction execution system, apparatus or device. The medium may be an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system (or apparatus or device). Examples of computer-readable media include semiconductor or solid-state memory, magnetic tape, removable computer diskettes, random access memory (RAM), read-only memory (ROM), rigid magnetic disks and optical disks. Current examples of optical disks include compact disk read-only memory (CD-ROM), compact disk read/write (CD-R/W) and DVD. The computer-readable medium is a tangible item.
The computer program product may be a product having program instructions (or program code) for implementing one or more of the described functions. Those instructions or code may be stored in a computer-readable storage medium in a data processing system after being downloaded over a network from a remote data processing system. Alternatively, those instructions or code may be stored in a computer-readable storage medium in a server data processing system and adapted to be downloaded over a network to a remote data processing system for use in a computer-readable storage medium within the remote system.
In an exemplary embodiment, the agent and F-SSO components are implemented in a special-purpose computer, preferably in software executed by one or more processors. The associated configuration (security levels, states, timers) is stored in an associated data store. The software is also maintained in one or more data stores or memories associated with the one or more processors, and the software may be implemented as one or more computer programs.
As noted above, the policy engine function may be implemented as an adjunct or extension to an existing access manager or policy management solution.
Although a particular order of operations performed by certain embodiments of the invention has been described above, it should be understood that this order is exemplary, because alternative embodiments may perform the operations in a different order, combine certain operations, overlap certain operations, and so on. References in the specification to a given embodiment indicate that the described embodiment may include a particular feature, structure or characteristic, but every embodiment may not necessarily include that particular feature, structure or characteristic.
Finally, although given components of the system have been described separately, those skilled in the art will appreciate that some of the functions may be combined or shared in a given instruction, program sequence, code portion, and the like.
As used herein, a "client-side" application should be broadly construed to refer to an application, a page associated with that application, or some other resource or function invoked by a client-side request to the application. A "browser" as used herein is not intended to refer to any particular browser (for example, Internet Explorer, Safari, FireFox, and so on), but should be broadly construed to refer to any client-side rendering engine that can access and display Internet-accessible resources. A "rich" client typically refers to a non-HTTP-based client-side application, such as an SSH or CIFS client. Furthermore, although client-server interactions typically use HTTP, this is not a limitation. The client-server interaction may be formatted to conform to the Simple Object Access Protocol (SOAP) and travel over HTTP (over the public Internet) or FTP, or any other reliable transport mechanism may be used (for example, IBM technology and CORBA, for transport over an enterprise intranet). Any application or function described here may be implemented as native code by providing hooks into another application, by facilitating use of the mechanism as a plug-in, by linking to the mechanism, and the like.
Having described our invention, what we now claim is as follows.

Claims (14)

1. A method for managing the grant of consent to access a protected resource, the protected resource being associated with a resource owner, the method comprising:
upon receiving a request to access the protected resource, the request having a scope and being associated with a client, performing an analysis to identify a characteristic of the client, the analysis being performed using a computing entity having a hardware element;
based on the characteristic of the client and the scope of the request, applying a policy to determine whether the client should receive automated consent to access the protected resource; and
if, based on the policy, the client should receive automated consent, returning given information with which the client can obtain access to the protected resource without explicit consent from the resource owner.
2. The method of claim 1, wherein the analysis is based on a Uniform Resource Identifier (URI) associated with the request.
3. The method of claim 1, wherein the characteristic of the client is one of: a client category, a domain tag, an indication that the request originates from a reputable source, and an indication that the client has a given privacy policy.
4. The method of claim 1, wherein, if the client should not receive the automated consent to access the protected resource, a prompt is sent to the resource owner to obtain explicit consent.
5. The method of claim 4, further comprising:
obtaining a response to the prompt;
upon receiving the response to the prompt, updating the policy to include a classification associated with the client.
6. The method of claim 5, further comprising updating a consent list to include the client.
7. The method of claim 1, wherein the given information is an OAuth token.
8. An apparatus, comprising:
a processor;
computer memory holding computer program instructions that, when executed by the processor, perform a method for managing the grant of consent to access a protected resource, the protected resource being associated with a resource owner, the method comprising:
upon receiving a request to access the protected resource, the request having a scope and being associated with a client, performing an analysis to identify a characteristic of the client;
based on the characteristic of the client and the scope of the request, applying a policy to determine whether the client should receive automated consent to access the protected resource; and
if, based on the policy, the client should receive automated consent, returning given information with which the client can obtain access to the protected resource without explicit consent from the resource owner.
9. The apparatus of claim 8, wherein the analysis is based on a Uniform Resource Identifier (URI) associated with the request.
10. The apparatus of claim 8, wherein the characteristic of the client is one of: a client category, a domain tag, an indication that the request originates from a reputable source, and an indication that the client has a given privacy policy.
11. The apparatus of claim 8, wherein the method further comprises: if the client should not receive the automated consent to access the protected resource, sending a prompt to the resource owner to obtain explicit consent.
12. The apparatus of claim 11, wherein the method further comprises:
obtaining a response to the prompt;
upon receiving the response to the prompt, updating the policy to include a classification associated with the client.
13. The apparatus of claim 12, wherein the method further comprises updating a consent list to include the client.
14. The apparatus of claim 8, wherein the given information is an OAuth token.
CN201410185123.7A 2013-05-08 2014-05-05 Method and apparatus for policy-based automated consent Active CN104144158B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US13/889,707 US9264436B2 (en) 2013-05-08 2013-05-08 Policy-based automated consent
US13/889,707 2013-05-08

Publications (2)

Publication Number Publication Date
CN104144158A true CN104144158A (en) 2014-11-12
CN104144158B CN104144158B (en) 2017-09-29

Family

ID=51853226

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410185123.7A Active CN104144158B (en) 2013-05-08 2014-05-05 Method and apparatus for policy-based automated consent

Country Status (2)

Country Link
US (1) US9264436B2 (en)
CN (1) CN104144158B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506487A (en) * 2014-11-21 2015-04-08 北京工业大学 Credible execution method for privacy policy in cloud environment
CN108701199A (en) * 2016-02-23 2018-10-23 开利公司 Policy-based authorization workflow automation and click simplification
CN109033774A (en) * 2018-08-31 2018-12-18 阿里巴巴集团控股有限公司 Method and device for acquiring and feeding back user resources, and electronic equipment
CN110197075A (en) * 2018-04-11 2019-09-03 腾讯科技(深圳)有限公司 Resource access method, device, computing equipment and storage medium

Families Citing this family (82)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9654473B2 (en) 2013-06-28 2017-05-16 Bmc Software, Inc. Authentication proxy agent
US20150020178A1 (en) * 2013-07-12 2015-01-15 International Business Machines Corporation Using Personalized URL for Advanced Login Security
US10185584B2 (en) * 2013-08-20 2019-01-22 Teleputers, Llc System and method for self-protecting data
US9569139B1 (en) * 2013-09-26 2017-02-14 EMC IP Holding Company LLC Methods and apparatus for shared service provisioning
US10395024B2 (en) * 2014-03-04 2019-08-27 Adobe Inc. Authentication for online content using an access token
US9680805B1 (en) * 2014-05-07 2017-06-13 Skyport Systems, Inc. Method and system for key management
US9497222B2 (en) * 2014-05-20 2016-11-15 International Business Machines Corporation Identification of web form parameters for an authorization engine
US9306939B2 (en) * 2014-05-30 2016-04-05 Oracle International Corporation Authorization token cache system and method
US9906558B2 (en) 2015-06-24 2018-02-27 International Business Machines Corporation User managed access scope specific obligation policy for authorization
US10257143B2 (en) 2015-06-30 2019-04-09 Vmware, Inc. Methods and apparatus to generate knowledge base articles
US20170004182A1 (en) 2015-06-30 2017-01-05 Vmware, Inc. Allocating, configuring and maintaining cloud computing resources using social media
US10075442B2 (en) * 2015-06-30 2018-09-11 Vmware, Inc. Methods and apparatus to grant access to cloud computing resources
US20170033997A1 (en) 2015-07-31 2017-02-02 Vmware, Inc. Binding Policies to Computing Resources
US10250539B2 (en) 2015-08-04 2019-04-02 Vmware, Inc. Methods and apparatus to manage message delivery in enterprise network environments
US10841268B2 (en) 2015-08-04 2020-11-17 Vmware, Inc. Methods and apparatus to generate virtual war rooms via social media in enterprise network environments
US10542117B2 (en) 2015-09-03 2020-01-21 Verisign, Inc. Systems and methods for providing secure access to shared registration systems
US10038722B2 (en) * 2015-09-03 2018-07-31 Vmware, Inc. Access control policy management in a cloud services environment
US9923888B2 (en) * 2015-10-02 2018-03-20 Veritas Technologies Llc Single sign-on method for appliance secure shell
US11329821B2 (en) 2015-12-28 2022-05-10 Verisign, Inc. Shared registration system
US10878079B2 (en) 2016-05-11 2020-12-29 Oracle International Corporation Identity cloud service authorization model with dynamic roles and scopes
US9838377B1 (en) 2016-05-11 2017-12-05 Oracle International Corporation Task segregation in a multi-tenant identity and data security management cloud service
US9838376B1 (en) 2016-05-11 2017-12-05 Oracle International Corporation Microservices based multi-tenant identity and data security management cloud service
US10341410B2 (en) 2016-05-11 2019-07-02 Oracle International Corporation Security tokens for a multi-tenant identity and data security management cloud service
US10581820B2 (en) 2016-05-11 2020-03-03 Oracle International Corporation Key generation and rollover
US10425386B2 (en) 2016-05-11 2019-09-24 Oracle International Corporation Policy enforcement point for a multi-tenant identity and data security management cloud service
US9781122B1 (en) 2016-05-11 2017-10-03 Oracle International Corporation Multi-tenant identity and data security management cloud service
US10454940B2 (en) 2016-05-11 2019-10-22 Oracle International Corporation Identity cloud service authorization model
US11157641B2 (en) * 2016-07-01 2021-10-26 Microsoft Technology Licensing, Llc Short-circuit data access
CN106899650B (en) * 2016-07-04 2020-03-27 阿里巴巴集团控股有限公司 Data updating method and device
US10585682B2 (en) 2016-08-05 2020-03-10 Oracle International Corporation Tenant self-service troubleshooting for a multi-tenant identity and data security management cloud service
US10516672B2 (en) 2016-08-05 2019-12-24 Oracle International Corporation Service discovery for a multi-tenant identity and data security management cloud service
US10255061B2 (en) 2016-08-05 2019-04-09 Oracle International Corporation Zero down time upgrade for a multi-tenant identity and data security management cloud service
US10735394B2 (en) 2016-08-05 2020-08-04 Oracle International Corporation Caching framework for a multi-tenant identity and data security management cloud service
US10721237B2 (en) 2016-08-05 2020-07-21 Oracle International Corporation Hierarchical processing for a virtual directory system for LDAP to SCIM proxy service
US10530578B2 (en) 2016-08-05 2020-01-07 Oracle International Corporation Key store service
US10263947B2 (en) 2016-08-05 2019-04-16 Oracle International Corporation LDAP to SCIM proxy service
US10484382B2 (en) 2016-08-31 2019-11-19 Oracle International Corporation Data management for a multi-tenant identity cloud service
US10594684B2 (en) 2016-09-14 2020-03-17 Oracle International Corporation Generating derived credentials for a multi-tenant identity cloud service
US10846390B2 (en) 2016-09-14 2020-11-24 Oracle International Corporation Single sign-on functionality for a multi-tenant identity and data security management cloud service
US10511589B2 (en) 2016-09-14 2019-12-17 Oracle International Corporation Single logout functionality for a multi-tenant identity and data security management cloud service
US10484243B2 (en) 2016-09-16 2019-11-19 Oracle International Corporation Application management for a multi-tenant identity cloud service
US10341354B2 (en) 2016-09-16 2019-07-02 Oracle International Corporation Distributed high availability agent architecture
US10791087B2 (en) 2016-09-16 2020-09-29 Oracle International Corporation SCIM to LDAP mapping using subtype attributes
US10567364B2 (en) 2016-09-16 2020-02-18 Oracle International Corporation Preserving LDAP hierarchy in a SCIM directory using special marker groups
WO2018053258A1 (en) 2016-09-16 2018-03-22 Oracle International Corporation Tenant and service management for a multi-tenant identity and data security management cloud service
US10445395B2 (en) 2016-09-16 2019-10-15 Oracle International Corporation Cookie based state propagation for a multi-tenant identity cloud service
US10904074B2 (en) 2016-09-17 2021-01-26 Oracle International Corporation Composite event handler for a multi-tenant identity cloud service
US10972456B2 (en) 2016-11-04 2021-04-06 Microsoft Technology Licensing, Llc IoT device authentication
US10528725B2 (en) 2016-11-04 2020-01-07 Microsoft Technology Licensing, Llc IoT security service
US10261836B2 (en) 2017-03-21 2019-04-16 Oracle International Corporation Dynamic dispatching of workloads spanning heterogeneous services
US10454915B2 (en) 2017-05-18 2019-10-22 Oracle International Corporation User authentication using kerberos with identity cloud service
US10530771B2 (en) * 2017-06-30 2020-01-07 Verizon Patent And Licensing Inc. System and method of inter-account resource access management
US10951656B2 (en) 2017-08-16 2021-03-16 Nicira, Inc. Methods, apparatus and systems to use artificial intelligence to define encryption and security policies in a software defined data center
US10348858B2 (en) 2017-09-15 2019-07-09 Oracle International Corporation Dynamic message queues for a microservice based cloud service
US10831789B2 (en) 2017-09-27 2020-11-10 Oracle International Corporation Reference attribute query processing for a multi-tenant cloud service
US10834137B2 (en) 2017-09-28 2020-11-10 Oracle International Corporation Rest-based declarative policy management
US11271969B2 (en) 2017-09-28 2022-03-08 Oracle International Corporation Rest-based declarative policy management
US10705823B2 (en) 2017-09-29 2020-07-07 Oracle International Corporation Application templates and upgrade framework for a multi-tenant identity cloud service
US10715564B2 (en) 2018-01-29 2020-07-14 Oracle International Corporation Dynamic client registration for an identity cloud service
US10931656B2 (en) 2018-03-27 2021-02-23 Oracle International Corporation Cross-region trust for a multi-tenant identity cloud service
US11165634B2 (en) 2018-04-02 2021-11-02 Oracle International Corporation Data replication conflict detection and resolution for a multi-tenant identity cloud service
US10798165B2 (en) 2018-04-02 2020-10-06 Oracle International Corporation Tenant data comparison for a multi-tenant identity cloud service
US11258775B2 (en) 2018-04-04 2022-02-22 Oracle International Corporation Local write for a multi-tenant identity cloud service
US11012444B2 (en) 2018-06-25 2021-05-18 Oracle International Corporation Declarative third party identity provider integration for a multi-tenant identity cloud service
US10764273B2 (en) 2018-06-28 2020-09-01 Oracle International Corporation Session synchronization across multiple devices in an identity cloud service
US11693835B2 (en) 2018-10-17 2023-07-04 Oracle International Corporation Dynamic database schema allocation on tenant onboarding for a multi-tenant identity cloud service
US11321187B2 (en) 2018-10-19 2022-05-03 Oracle International Corporation Assured lazy rollback for a multi-tenant identity cloud service
CN109525583B (en) * 2018-11-26 2021-03-12 中国科学院数据与通信保护研究教育中心 False certificate detection method and system for third-party identity management providing service system
US10901918B2 (en) * 2018-11-29 2021-01-26 International Business Machines Corporation Constructing flexibly-secure systems in a disaggregated environment
US11651357B2 (en) 2019-02-01 2023-05-16 Oracle International Corporation Multifactor authentication without a user footprint
US11061929B2 (en) 2019-02-08 2021-07-13 Oracle International Corporation Replication of resource type and schema metadata for a multi-tenant identity cloud service
US11321343B2 (en) 2019-02-19 2022-05-03 Oracle International Corporation Tenant replication bootstrap for a multi-tenant identity cloud service
US11669321B2 (en) 2019-02-20 2023-06-06 Oracle International Corporation Automated database upgrade for a multi-tenant identity cloud service
US11792226B2 (en) 2019-02-25 2023-10-17 Oracle International Corporation Automatic api document generation from scim metadata
US11423111B2 (en) 2019-02-25 2022-08-23 Oracle International Corporation Client API for rest based endpoints for a multi-tenant identify cloud service
JP7301668B2 (en) * 2019-08-07 2023-07-03 キヤノン株式会社 system, control method, program
US11870770B2 (en) 2019-09-13 2024-01-09 Oracle International Corporation Multi-tenant identity cloud service with on-premise authentication integration
US11687378B2 (en) 2019-09-13 2023-06-27 Oracle International Corporation Multi-tenant identity cloud service with on-premise authentication integration and bridge high availability
US11611548B2 (en) 2019-11-22 2023-03-21 Oracle International Corporation Bulk multifactor authentication enrollment
JP7406086B2 (en) * 2020-01-28 2023-12-27 富士通株式会社 Data access control program, data access control method, and authorization server
EP4193281A1 (en) * 2020-08-07 2023-06-14 ARRIS Enterprises LLC Multi-modal approach to a secure and closed solution monitoring and control of user data
WO2022032092A1 (en) * 2020-08-07 2022-02-10 Arris Enterprises Llc Multi-modal approach to a secure and closed solution monitoring and control of user data

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040003072A1 (en) * 2002-06-28 2004-01-01 Microsoft Corporation Consent mechanism for online entities
US20070038765A1 (en) * 2002-02-27 2007-02-15 Microsoft Corporation User-centric consent management system and method
CN101102257A (en) * 2006-07-08 2008-01-09 国际商业机器公司 Method and device for transmitting data objects
US20130086645A1 (en) * 2011-09-29 2013-04-04 Oracle International Corporation Oauth framework

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE602004022817D1 (en) * 2003-07-11 2009-10-08 Computer Ass Think Inc PROCESS AND SYSTEM FOR PROTECTION FROM COMPUTER VIRUSES
US7590705B2 (en) 2004-02-23 2009-09-15 Microsoft Corporation Profile and consent accrual
US8464311B2 (en) 2004-10-28 2013-06-11 International Business Machines Corporation Method and system for implementing privacy notice, consent, and preference with a privacy proxy
US10460085B2 (en) * 2008-03-13 2019-10-29 Mattel, Inc. Tablet computer
US8402508B2 (en) 2008-04-02 2013-03-19 Microsoft Corporation Delegated authentication for web services
US8276184B2 (en) * 2008-08-05 2012-09-25 International Business Machines Corporation User-centric resource architecture
US9186587B2 (en) * 2012-10-04 2015-11-17 Reza Jalili Distribution of electronic game elements
US9497184B2 (en) * 2011-03-28 2016-11-15 International Business Machines Corporation User impersonation/delegation in a token-based authentication system
US20140133656A1 (en) * 2012-02-22 2014-05-15 Qualcomm Incorporated Preserving Security by Synchronizing a Nonce or Counter Between Systems
US20130217333A1 (en) * 2012-02-22 2013-08-22 Qualcomm Incorporated Determining rewards based on proximity of devices using short-range wireless broadcasts
US9148429B2 (en) * 2012-04-23 2015-09-29 Google Inc. Controlling access by web applications to resources on servers
US20140041055A1 (en) * 2012-08-06 2014-02-06 Avaya Inc. System and method for online access control based on users social network context
US20140298486A1 (en) * 2013-03-26 2014-10-02 Pottermore Limited Granting access to digital content obtained from a third-party service

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070038765A1 (en) * 2002-02-27 2007-02-15 Microsoft Corporation User-centric consent management system and method
US20040003072A1 (en) * 2002-06-28 2004-01-01 Microsoft Corporation Consent mechanism for online entities
CN101102257A (en) * 2006-07-08 2008-01-09 国际商业机器公司 Method and device for transmitting data objects
US20130086645A1 (en) * 2011-09-29 2013-04-04 Oracle International Corporation Oauth framework
US20130086657A1 (en) * 2011-09-29 2013-04-04 Oracle International Corporation Relying party platform

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104506487A (en) * 2014-11-21 2015-04-08 北京工业大学 Credible execution method for privacy policy in cloud environment
CN104506487B (en) * 2014-11-21 2017-12-08 北京工业大学 The credible execution method of privacy policy under cloud environment
CN108701199A (en) * 2016-02-23 2018-10-23 开利公司 Policy-based authorization workflow automation and click simplification
CN110197075A (en) * 2018-04-11 2019-09-03 腾讯科技(深圳)有限公司 Resource access method, device, computing equipment and storage medium
CN109033774A (en) * 2018-08-31 2018-12-18 阿里巴巴集团控股有限公司 Method and device for acquiring and feeding back user resources, and electronic equipment
CN109033774B (en) * 2018-08-31 2020-08-07 阿里巴巴集团控股有限公司 Method and device for acquiring and feeding back user resources and electronic equipment

Also Published As

Publication number Publication date
CN104144158B (en) 2017-09-29
US20140337914A1 (en) 2014-11-13
US9264436B2 (en) 2016-02-16

Similar Documents

Publication Publication Date Title
CN104144158A (en) Policy-based automated consent method and device
EP3854047B1 (en) Supervised learning system for identity compromise risk computation
US9722991B2 (en) Confidence-based authentication discovery for an outbound proxy
KR101861026B1 (en) Secure proxy to protect private data
US11017088B2 (en) Crowdsourced, self-learning security system through smart feedback loops
US9787659B2 (en) Techniques for secure access management in virtual environments
US9071594B2 (en) Application identity design
US8893291B2 (en) Security through metadata orchestrators
JP2016129037A (en) System and method for application attestation
US20120266239A1 (en) Authorized data access based on the rights of a user and a location
US9917861B2 (en) Enabling access to an enterprise network domain based on a centralized trust
US20130312068A1 (en) Systems and methods for administrating access in an on-demand computing environment
CN115996122A (en) Access control method, device and system
Carminati et al. Trust and share: Trusted information sharing in online social networks
Pöhn et al. Proven and modern approaches to identity management
US9680871B2 (en) Adopting policy objects for host-based access control
Li Context-aware attribute-based techniques for data security and access control in mobile cloud environment
Ranjbar et al. Authentication and authorization for mobile devices
Orawiwattanakul et al. User consent acquisition system for Japanese Shibboleth-based academic federation (GakuNin)
Daniels Identity Management Practices and Concerns in Enterprise Cloud Infrastructures
Wild et al. Proprotect3: An approach for protecting user profile data from disclosure, tampering, and improper use in the context of webid
Saeed Authentication and Authorization Modules for Open Messaging Interface (O-MI)
Olesen et al. Accessing and disclosing protected resources: A user-centric view
Gonzalez-Gil et al. Iotcrawler. managing security and privacy for IoT
Wong et al. Emerging issues and challenges for cloud data at the edge

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20190916

Address after: New Delhi, India

Patentee after: HCL Technology Co., Ltd.

Address before: New York, United States

Patentee before: International Business Machines Corp.